After a lengthy back and forth, the German legislator last week finally decided on how to conduct the transposition of the provisions of the 5th European AML Directive into national law. The German Parliament accepted the recommended resolution of the 7th financial committee after the original draft of the federal government was heavily criticized by experts and market participants alike. Especially the so-called ring-fencing, which would have led to the situation that crypto custody service providers could not provide any other banking or financial services to their customers, was subject to heavy criticism. To the relief of the whole industry, the ring-fencing idea was abandoned. This hard to justify separation would not have been a suitable instrument to achieve the declared intention of the German federal government to develop Germany into a global blockchain hotspot. Moreover, the period in which crypto custody service providers that commercially store crypto assets for their clients and which have not been authorized by BaFin yet can continue to provide their services until the 30th of November 2020 if they apply for authorization until this date and inform BaFin until the 31st of March 2020 about the intended application. But what are the requirements that crypto custody service providers have to fulfil in 2020 to successfully apply for BaFin authorization?


Crypto custody service providers, just as any other financial services institution, have to fulfil specific legal requirements to successfully apply for BaFin authorization. That of course means that the company has to be managed by fit and proper directors, that have enough time at their disposal to sufficiently take care of the business. The professional competence (the fit part of fit and proper) of a person is, according to the German Banking Act (KWG), legally assumed if the person has worked for at least three years in a managing position of a supervised financial services institution and if he or she was responsible for the kind of financial services that the applying company wants to offer. Otherwise, the professional competence of a managing director has to be proven explicitly to BaFin in the application. This is done by meticulously proving his or her theoretical and practical abilities by e.g. submitting a monthly-detailed curriculum vitae, training and working certificates or other suitable documents like specialist publications or lecturing activities. Since the crypto custody service is about to be newly introduced as a financial service nobody will fulfil the legal assumption because nobody has three years of working experience in that field of work. Applications for the authorization of crypto custody services will therefore always rely on the individual verification of the managing directors. At the same time, BaFin will have to take into consideration that crypto custody services are a new form of financial service providers and therefore, that the not only -temporal management of a bank or other financial service provider and a proven understanding of the technical basics of crypto assets will most likely qualify a person to be the managing director of a crypto custody service provider.


With regards to the reliability and temporal availability of managing directors of crypto custody service providers there are no specific peculiarities compared with the managing directors of any other institution being subject to BaFin authorization in accordance to the German Banking Act (KWG). The reliability of a managing director has to be proven in the application. The criminal record of the candidate and e.g. an excerpt of the central trade registry next to details of the candidate’s economic situation and bankruptcy procedures (if any) are used to prove a candidate’s reliability. The temporal availability depends on how much time the proper conduction of the business probably takes. It is possible that the managing director of a crypto custody service provider holds other managing, supervisory or administrative positions next to the managing position. It is necessary to display and globally justify the required and available time of the proposed managing director vis-à-vis BaFin.


In general, financial service providers only need one professionally competent and reliable managing director who has sufficient time at his disposal to manage the service provider. Two managing directors are necessary if the service provider is authorized to acquire ownership or possession of customer’s monies or securities. The obvious reason for this regulation is to ensure the dual control principal for fiduciary and custody service providers. The crypto custody service providers will only store crypto assets. If these crypto assets are merely cryptocurrencies such as Bitcoin, Litecoin, Ripple or IOTA the still applicable administrative practice of Bafin defines them as units of account. They are therefore financial instruments but neither money nor securities in a legal sense. Therefore, one managing director would in this case be sufficient to propose in the BaFin application. The legal handling of the custody of security tokens on the other hand is not yet entirely clarified at this point. It would make sense to subsume the custody of security token under the deposit business and not under the crypto custody service, but the passed legislation does not mandate this explicitly. If it would be handled as stated above, security tokens could not be stored with crypto custody service providers but only with depository banks which regularly must have two managing directors.

Attorney Lutz Auffenberg, LL.M. (London)